deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Fix issues

Browse Source
This commit is contained in:
Vinay Pamnani 2023-02-28 13:20:28 -05:00
parent 0e79901e8c
commit df59568106
7 changed files with 475 additions and 469 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.redirection.json
View File

@ -20532,7 +20532,7 @@
},
{
"source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md",
"redirect_url": "/windows/client-management/mdm/windows/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
"redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
"redirect_document_id": true
},
{

3
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -324,8 +324,7 @@ This node accepts a ShellLauncherConfiguration xml as input.
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
In **Windows 10, version 1903**, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell.
- For more information on the schema, see [ShellLauncherConfiguration XSD](#shelllauncherconfiguration-xsd).
- For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
> [!IMPORTANT]
> You can't set both ShellLauncher and KioskModeApp at the same time on the device.

180
windows/client-management/mdm/defender-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/17/2023
ms.date: 02/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -21,92 +21,90 @@ ms.topic: reference
<!-- Defender-Editable-End -->
<!-- Defender-Tree-Begin -->
The following example shows the Defender configuration service provider in tree format.
The following list shows the Defender configuration service provider nodes:
```text
./Device/Vendor/MSFT/Defender
--- Configuration
------ AllowDatagramProcessingOnWinServer
------ AllowNetworkProtectionDownLevel
------ AllowNetworkProtectionOnWinServer
------ ASROnlyPerRuleExclusions
------ DataDuplicationDirectory
------ DataDuplicationLocalRetentionPeriod
------ DataDuplicationRemoteLocation
------ DefaultEnforcement
------ DeviceControl
--------- PolicyGroups
------------ {GroupId}
--------------- GroupData
--------- PolicyRules
------------ {RuleId}
--------------- RuleData
------ DeviceControlEnabled
------ DisableCpuThrottleOnIdleScans
------ DisableDnsOverTcpParsing
------ DisableDnsParsing
------ DisableFtpParsing
------ DisableGradualRelease
------ DisableHttpParsing
------ DisableInboundConnectionFiltering
------ DisableLocalAdminMerge
------ DisableNetworkProtectionPerfTelemetry
------ DisableRdpParsing
------ DisableSmtpParsing
------ DisableSshParsing
------ DisableTlsParsing
------ EnableDnsSinkhole
------ EnableFileHashComputation
------ EngineUpdatesChannel
------ HideExclusionsFromLocalAdmins
------ IntelTDTEnabled
------ MeteredConnectionUpdates
------ PassiveRemediation
------ PlatformUpdatesChannel
------ RandomizeScheduleTaskTimes
------ ScanOnlyIfIdleEnabled
------ SchedulerRandomizationTime
------ SecurityIntelligenceUpdatesChannel
------ SupportLogLocation
------ TamperProtection
------ ThrottleForScheduledScanOnly
--- Detections
------ {ThreatId}
--------- Category
--------- CurrentStatus
--------- ExecutionStatus
--------- InitialDetectionTime
--------- LastThreatStatusChangeTime
--------- Name
--------- NumberOfDetections
--------- Severity
--------- URL
--- Health
------ ComputerState
------ DefenderEnabled
------ DefenderVersion
------ EngineVersion
------ FullScanOverdue
------ FullScanRequired
------ FullScanSigVersion
------ FullScanTime
------ IsVirtualMachine
------ NisEnabled
------ ProductStatus
------ QuickScanOverdue
------ QuickScanSigVersion
------ QuickScanTime
------ RebootRequired
------ RtpEnabled
------ SignatureOutOfDate
------ SignatureVersion
------ TamperProtectionEnabled
--- OfflineScan
--- RollbackEngine
--- RollbackPlatform
--- Scan
--- UpdateSignature
```
- ./Device/Vendor/MSFT/Defender
- [Configuration](#configuration)
- [AllowDatagramProcessingOnWinServer](#configurationallowdatagramprocessingonwinserver)
- [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel)
- [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver)
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
- [DefaultEnforcement](#configurationdefaultenforcement)
- [DeviceControl](#configurationdevicecontrol)
- [PolicyGroups](#configurationdevicecontrolpolicygroups)
- [{GroupId}](#configurationdevicecontrolpolicygroupsgroupid)
- [GroupData](#configurationdevicecontrolpolicygroupsgroupidgroupdata)
- [PolicyRules](#configurationdevicecontrolpolicyrules)
- [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
- [DisableDnsParsing](#configurationdisablednsparsing)
- [DisableFtpParsing](#configurationdisableftpparsing)
- [DisableGradualRelease](#configurationdisablegradualrelease)
- [DisableHttpParsing](#configurationdisablehttpparsing)
- [DisableInboundConnectionFiltering](#configurationdisableinboundconnectionfiltering)
- [DisableLocalAdminMerge](#configurationdisablelocaladminmerge)
- [DisableNetworkProtectionPerfTelemetry](#configurationdisablenetworkprotectionperftelemetry)
- [DisableRdpParsing](#configurationdisablerdpparsing)
- [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing)
- [DisableTlsParsing](#configurationdisabletlsparsing)
- [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [PassiveRemediation](#configurationpassiveremediation)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection)
- [ThrottleForScheduledScanOnly](#configurationthrottleforscheduledscanonly)
- [Detections](#detections)
- [{ThreatId}](#detectionsthreatid)
- [Category](#detectionsthreatidcategory)
- [CurrentStatus](#detectionsthreatidcurrentstatus)
- [ExecutionStatus](#detectionsthreatidexecutionstatus)
- [InitialDetectionTime](#detectionsthreatidinitialdetectiontime)
- [LastThreatStatusChangeTime](#detectionsthreatidlastthreatstatuschangetime)
- [Name](#detectionsthreatidname)
- [NumberOfDetections](#detectionsthreatidnumberofdetections)
- [Severity](#detectionsthreatidseverity)
- [URL](#detectionsthreatidurl)
- [Health](#health)
- [ComputerState](#healthcomputerstate)
- [DefenderEnabled](#healthdefenderenabled)
- [DefenderVersion](#healthdefenderversion)
- [EngineVersion](#healthengineversion)
- [FullScanOverdue](#healthfullscanoverdue)
- [FullScanRequired](#healthfullscanrequired)
- [FullScanSigVersion](#healthfullscansigversion)
- [FullScanTime](#healthfullscantime)
- [IsVirtualMachine](#healthisvirtualmachine)
- [NisEnabled](#healthnisenabled)
- [ProductStatus](#healthproductstatus)
- [QuickScanOverdue](#healthquickscanoverdue)
- [QuickScanSigVersion](#healthquickscansigversion)
- [QuickScanTime](#healthquickscantime)
- [RebootRequired](#healthrebootrequired)
- [RtpEnabled](#healthrtpenabled)
- [SignatureOutOfDate](#healthsignatureoutofdate)
- [SignatureVersion](#healthsignatureversion)
- [TamperProtectionEnabled](#healthtamperprotectionenabled)
- [OfflineScan](#offlinescan)
- [RollbackEngine](#rollbackengine)
- [RollbackPlatform](#rollbackplatform)
- [Scan](#scan)
- [UpdateSignature](#updatesignature)
<!-- Defender-Tree-End -->
<!-- Device-Configuration-Begin -->
@ -633,7 +631,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Description-Begin -->
<!-- Description-Source-DDF -->
Follow the instructions provided here: <https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control>
For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Description-End -->
<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Editable-Begin -->
@ -748,7 +746,7 @@ Follow the instructions provided here: <https://learn.microsoft.com/microsoft-36
<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Description-Begin -->
<!-- Description-Source-DDF -->
Follow the instructions provided here: <https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control>
For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Description-End -->
<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Editable-Begin -->
@ -1795,9 +1793,9 @@ Setting to control automatic remediation for Sense scans.
| Flag | Description |
|:--|:--|
| 0x1 | |
| 0x2 | |
| 0x4 | |
| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation. |
| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit. |
| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation. |
<!-- Device-Configuration-PassiveRemediation-AllowedValues-End -->
<!-- Device-Configuration-PassiveRemediation-Examples-Begin -->

86
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the DiagnosticLog CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/21/2023
ms.date: 02/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -21,49 +21,47 @@ ms.topic: reference
<!-- DiagnosticLog-Editable-End -->
<!-- DiagnosticLog-Tree-Begin -->
The following example shows the DiagnosticLog configuration service provider in tree format.
The following list shows the DiagnosticLog configuration service provider nodes:
```text
./Vendor/MSFT/DiagnosticLog
--- DeviceStateData
------ MdmConfiguration
--- DiagnosticArchive
------ ArchiveDefinition
------ ArchiveResults
--- EtwLog
------ Channels
--------- {ChannelName}
------------ Export
------------ Filter
------------ State
------ Collectors
--------- {CollectorName}
------------ LogFileSizeLimitMB
------------ Providers
--------------- {ProviderGuid}
------------------ Keywords
------------------ State
------------------ TraceLevel
------------ TraceControl
------------ TraceLogFileMode
------------ TraceStatus
--- FileDownload
------ DMChannel
--------- {FileContext}
------------ BlockCount
------------ BlockData
------------ BlockIndexToRead
------------ BlockSizeKB
------------ DataBlocks
--------------- {BlockNumber}
--- Policy
------ Channels
--------- {ChannelName}
------------ ActionWhenFull
------------ Enabled
------------ MaximumFileSize
------------ SDDL
```
- ./Vendor/MSFT/DiagnosticLog
- [DeviceStateData](#devicestatedata)
- [MdmConfiguration](#devicestatedatamdmconfiguration)
- [DiagnosticArchive](#diagnosticarchive)
- [ArchiveDefinition](#diagnosticarchivearchivedefinition)
- [ArchiveResults](#diagnosticarchivearchiveresults)
- [EtwLog](#etwlog)
- [Channels](#etwlogchannels)
- [{ChannelName}](#etwlogchannelschannelname)
- [Export](#etwlogchannelschannelnameexport)
- [Filter](#etwlogchannelschannelnamefilter)
- [State](#etwlogchannelschannelnamestate)
- [Collectors](#etwlogcollectors)
- [{CollectorName}](#etwlogcollectorscollectorname)
- [LogFileSizeLimitMB](#etwlogcollectorscollectornamelogfilesizelimitmb)
- [Providers](#etwlogcollectorscollectornameproviders)
- [{ProviderGuid}](#etwlogcollectorscollectornameprovidersproviderguid)
- [Keywords](#etwlogcollectorscollectornameprovidersproviderguidkeywords)
- [State](#etwlogcollectorscollectornameprovidersproviderguidstate)
- [TraceLevel](#etwlogcollectorscollectornameprovidersproviderguidtracelevel)
- [TraceControl](#etwlogcollectorscollectornametracecontrol)
- [TraceLogFileMode](#etwlogcollectorscollectornametracelogfilemode)
- [TraceStatus](#etwlogcollectorscollectornametracestatus)
- [FileDownload](#filedownload)
- [DMChannel](#filedownloaddmchannel)
- [{FileContext}](#filedownloaddmchannelfilecontext)
- [BlockCount](#filedownloaddmchannelfilecontextblockcount)
- [BlockData](#filedownloaddmchannelfilecontextblockdata)
- [BlockIndexToRead](#filedownloaddmchannelfilecontextblockindextoread)
- [BlockSizeKB](#filedownloaddmchannelfilecontextblocksizekb)
- [DataBlocks](#filedownloaddmchannelfilecontextdatablocks)
- [{BlockNumber}](#filedownloaddmchannelfilecontextdatablocksblocknumber)
- [Policy](#policy)
- [Channels](#policychannels)
- [{ChannelName}](#policychannelschannelname)
- [ActionWhenFull](#policychannelschannelnameactionwhenfull)
- [Enabled](#policychannelschannelnameenabled)
- [MaximumFileSize](#policychannelschannelnamemaximumfilesize)
- [SDDL](#policychannelschannelnamesddl)
<!-- DiagnosticLog-Tree-End -->
<!-- Device-DeviceStateData-Begin -->
@ -2659,7 +2657,7 @@ Maximum size of the channel log file in MB.
<!-- Device-Policy-Channels-{ChannelName}-SDDL-Description-Begin -->
<!-- Description-Source-DDF -->
SDDL String controlling access to the channel. Default: <https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype>
SDDL String controlling access to the channel. For more information, see [ChannelType Complex Type](/windows/win32/wes/eventmanifestschema-channeltype-complextype).
<!-- Device-Policy-Channels-{ChannelName}-SDDL-Description-End -->
<!-- Device-Policy-Channels-{ChannelName}-SDDL-Editable-Begin -->

117
windows/client-management/mdm/eap-configuration.md
View File

@ -19,45 +19,45 @@ This article provides a step-by-step guide for creating an Extensible Authentica
To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.
1. Run rasphone.exe.
![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png)
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png)
1. In the wizard, select **Workplace network**.
1. In the wizard, select **Workplace network**.
![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png)
1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters.
1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters.
![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png)
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png)
1. In the **Test Properties** dialog, select the **Security** tab.
1. In the **Test Properties** dialog, select the **Security** tab.
![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png)
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png)
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
```powershell
Get-VpnConnection -Name Test
```
<a href="" id="pow"></a>Here's an example output.
Here's an example output.
``` syntax
Name : Test
@ -88,26 +88,46 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
Here's an example output.
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
m/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorTy
pe xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisi
oning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="h
ttp://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.co
m/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSel
ection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPr
omptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName><TLSEx
tensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.micro
soft.com/provisioning/EapTlsConnectionPropertiesV3"><ClientAuthEKUList Enabled="true" /><AnyPurposeEKUList Enabled="true"
/></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames />
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<ClientAuthEKUList Enabled="true" />
<AnyPurposeEKUList Enabled="true" />
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
```
> [!NOTE]
> You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
> - C:\\Windows\\schemas\\EAPHost
> - C:\\Windows\\schemas\\EAPMethods
>
> - C:\\Windows\\schemas\\EAPHost
> - C:\\Windows\\schemas\\EAPMethods
## EAP certificate filtering
@ -115,15 +135,15 @@ In your deployment, if you have multiple certificates provisioned on the device
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
@ -135,23 +155,22 @@ For information about adding EKU to a certificate, see <https://technet.microsof
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU properties:
- The certificate must have at least one of the following EKU properties:
- Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.
> [!NOTE]
> For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
 
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
@ -254,36 +273,32 @@ The following XML sample explains the properties for the EAP TLS XML, including
> [!NOTE]
> The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
 
Alternatively, you can use the following procedure to create an EAP configuration XML:
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS).
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS).
![vpn self host properties window.](images/certfiltering1.png)
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
 
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
![smart card or other certificate properties window.](images/certfiltering2.png)
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
![configure certificate window.](images/certfiltering3.png)
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
## Related topics
[Configuration service provider reference](index.yml)

136
windows/client-management/mdm/surfacehub-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the SurfaceHub CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/24/2023
ms.date: 02/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -25,74 +25,72 @@ The SurfaceHub configuration service provider (CSP) is used to configure Microso
<!-- SurfaceHub-Editable-End -->
<!-- SurfaceHub-Tree-Begin -->
The following example shows the SurfaceHub configuration service provider in tree format.
The following list shows the SurfaceHub configuration service provider nodes:
```text
./Vendor/MSFT/SurfaceHub
--- AutopilotSelfdeploy
------ FriendlyName
------ Password
------ UserPrincipalName
--- DeviceAccount
------ CalendarSyncEnabled
------ DomainName
------ Email
------ ErrorContext
------ ExchangeModernAuthEnabled
------ ExchangeServer
------ Password
------ PasswordRotationPeriod
------ SipAddress
------ UserName
------ UserPrincipalName
------ ValidateAndCommit
--- Dot3
------ EapUserData
------ LanProfile
--- InBoxApps
------ Connect
--------- AutoLaunch
------ SkypeForBusiness
--------- DomainName
------ Teams
--------- Configurations
------ Welcome
--------- AutoWakeScreen
--------- CurrentBackgroundPath
--------- MeetingInfoOption
------ Whiteboard
--------- SharingDisabled
--------- SignInDisabled
--------- TelemetryDisabled
------ WirelessProjection
--------- Channel
--------- Enabled
--------- PINRequired
--- MaintenanceHoursSimple
------ Hours
--------- Duration
--------- StartTime
--- Management
------ GroupName
------ GroupSid
--- MOMAgent
------ WorkspaceID
------ WorkspaceKey
--- Properties
------ AllowAutoProxyAuth
------ AllowSessionResume
------ DefaultVolume
------ DisableSigninSuggestions
------ DoNotShowMyMeetingsAndFiles
------ FriendlyName
------ ProxyServers
------ ScreenTimeout
------ SessionTimeout
------ SleepMode
------ SleepTimeout
------ SurfaceHubMeetingMode
------ VtcAppPackageId
```
- ./Vendor/MSFT/SurfaceHub
- [AutopilotSelfdeploy](#autopilotselfdeploy)
- [FriendlyName](#autopilotselfdeployfriendlyname)
- [Password](#autopilotselfdeploypassword)
- [UserPrincipalName](#autopilotselfdeployuserprincipalname)
- [DeviceAccount](#deviceaccount)
- [CalendarSyncEnabled](#deviceaccountcalendarsyncenabled)
- [DomainName](#deviceaccountdomainname)
- [Email](#deviceaccountemail)
- [ErrorContext](#deviceaccounterrorcontext)
- [ExchangeModernAuthEnabled](#deviceaccountexchangemodernauthenabled)
- [ExchangeServer](#deviceaccountexchangeserver)
- [Password](#deviceaccountpassword)
- [PasswordRotationPeriod](#deviceaccountpasswordrotationperiod)
- [SipAddress](#deviceaccountsipaddress)
- [UserName](#deviceaccountusername)
- [UserPrincipalName](#deviceaccountuserprincipalname)
- [ValidateAndCommit](#deviceaccountvalidateandcommit)
- [Dot3](#dot3)
- [EapUserData](#dot3eapuserdata)
- [LanProfile](#dot3lanprofile)
- [InBoxApps](#inboxapps)
- [Connect](#inboxappsconnect)
- [AutoLaunch](#inboxappsconnectautolaunch)
- [SkypeForBusiness](#inboxappsskypeforbusiness)
- [DomainName](#inboxappsskypeforbusinessdomainname)
- [Teams](#inboxappsteams)
- [Configurations](#inboxappsteamsconfigurations)
- [Welcome](#inboxappswelcome)
- [AutoWakeScreen](#inboxappswelcomeautowakescreen)
- [CurrentBackgroundPath](#inboxappswelcomecurrentbackgroundpath)
- [MeetingInfoOption](#inboxappswelcomemeetinginfooption)
- [Whiteboard](#inboxappswhiteboard)
- [SharingDisabled](#inboxappswhiteboardsharingdisabled)
- [SignInDisabled](#inboxappswhiteboardsignindisabled)
- [TelemetryDisabled](#inboxappswhiteboardtelemetrydisabled)
- [WirelessProjection](#inboxappswirelessprojection)
- [Channel](#inboxappswirelessprojectionchannel)
- [Enabled](#inboxappswirelessprojectionenabled)
- [PINRequired](#inboxappswirelessprojectionpinrequired)
- [MaintenanceHoursSimple](#maintenancehourssimple)
- [Hours](#maintenancehourssimplehours)
- [Duration](#maintenancehourssimplehoursduration)
- [StartTime](#maintenancehourssimplehoursstarttime)
- [Management](#management)
- [GroupName](#managementgroupname)
- [GroupSid](#managementgroupsid)
- [MOMAgent](#momagent)
- [WorkspaceID](#momagentworkspaceid)
- [WorkspaceKey](#momagentworkspacekey)
- [Properties](#properties)
- [AllowAutoProxyAuth](#propertiesallowautoproxyauth)
- [AllowSessionResume](#propertiesallowsessionresume)
- [DefaultVolume](#propertiesdefaultvolume)
- [DisableSigninSuggestions](#propertiesdisablesigninsuggestions)
- [DoNotShowMyMeetingsAndFiles](#propertiesdonotshowmymeetingsandfiles)
- [FriendlyName](#propertiesfriendlyname)
- [ProxyServers](#propertiesproxyservers)
- [ScreenTimeout](#propertiesscreentimeout)
- [SessionTimeout](#propertiessessiontimeout)
- [SleepMode](#propertiessleepmode)
- [SleepTimeout](#propertiessleeptimeout)
- [SurfaceHubMeetingMode](#propertiessurfacehubmeetingmode)
- [VtcAppPackageId](#propertiesvtcapppackageid)
<!-- SurfaceHub-Tree-End -->
<!-- Device-AutopilotSelfdeploy-Begin -->
@ -1148,7 +1146,7 @@ Node for the Skype for Business settings.
<!-- Device-InBoxApps-SkypeForBusiness-DomainName-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see <https://docs.microsoft.com/SkypeForBusiness/set-up-skype-for-business-online/set-up-skype-for-business-online?redirectSourcePath=%252fen-us%252farticle%252fSet-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e#bkmk_users>
Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see [Set up your domain and users](/skypeforbusiness/set-up-skype-for-business-online/set-up-skype-for-business-online#3-set-up-your-domain-and-users).
<!-- Device-InBoxApps-SkypeForBusiness-DomainName-Description-End -->
<!-- Device-InBoxApps-SkypeForBusiness-DomainName-Editable-Begin -->

418
windows/client-management/mdm/vpnv2-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/27/2023
ms.date: 02/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -36,214 +36,212 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
<!-- VPNv2-Editable-End -->
<!-- VPNv2-Tree-Begin -->
The following example shows the VPNv2 configuration service provider in tree format.
The following list shows the VPNv2 configuration service provider nodes:
```text
./Device/Vendor/MSFT/VPNv2
--- {ProfileName}
------ AlwaysOn
------ AlwaysOnActive
------ APNBinding
--------- AccessPointName
--------- AuthenticationType
--------- IsCompressionEnabled
--------- Password
--------- ProviderId
--------- UserName
------ AppTriggerList
--------- {appTriggerRowId}
------------ App
--------------- Id
--------------- Type
------ ByPassForLocal
------ DataEncryption
------ DeviceCompliance
--------- Enabled
--------- Sso
------------ Eku
------------ Enabled
------------ IssuerHash
------ DeviceTunnel
------ DisableAdvancedOptionsEditButton
------ DisableDisconnectButton
------ DisableIKEv2Fragmentation
------ DnsSuffix
------ DomainNameInformationList
--------- {dniRowId}
------------ AutoTrigger
------------ DnsServers
------------ DomainName
------------ DomainNameType
------------ Persistent
------------ WebProxyServers
------ EdpModeId
------ IPv4InterfaceMetric
------ IPv6InterfaceMetric
------ NativeProfile
--------- Authentication
------------ Certificate
--------------- Eku
--------------- Issuer
------------ Eap
--------------- Configuration
--------------- Type
------------ MachineMethod
------------ UserMethod
--------- CryptographySuite
------------ AuthenticationTransformConstants
------------ CipherTransformConstants
------------ DHGroup
------------ EncryptionMethod
------------ IntegrityCheckMethod
------------ PfsGroup
--------- DisableClassBasedDefaultRoute
--------- L2tpPsk
--------- NativeProtocolType
--------- PlumbIKEv2TSAsRoutes
--------- ProtocolList
------------ NativeProtocolList
--------------- {NativeProtocolRowId}
------------------ Type
------------ RetryTimeInHours
--------- RoutingPolicyType
--------- Servers
------ NetworkOutageTime
------ PluginProfile
--------- CustomConfiguration
--------- PluginPackageFamilyName
--------- ServerUrlList
------ PrivateNetwork
------ ProfileXML
------ Proxy
--------- AutoConfigUrl
--------- Manual
------------ Server
------ RegisterDNS
------ RememberCredentials
------ RouteList
--------- {routeRowId}
------------ Address
------------ ExclusionRoute
------------ Metric
------------ PrefixSize
------ TrafficFilterList
--------- {trafficFilterId}
------------ App
--------------- Id
--------------- Type
------------ Claims
------------ Direction
------------ LocalAddressRanges
------------ LocalPortRanges
------------ Protocol
------------ RemoteAddressRanges
------------ RemotePortRanges
------------ RoutingPolicyType
------ TrustedNetworkDetection
------ UseRasCredentials
./User/Vendor/MSFT/VPNv2
--- {ProfileName}
------ AlwaysOn
------ AlwaysOnActive
------ APNBinding
--------- AccessPointName
--------- AuthenticationType
--------- IsCompressionEnabled
--------- Password
--------- ProviderId
--------- UserName
------ AppTriggerList
--------- {appTriggerRowId}
------------ App
--------------- Id
--------------- Type
------ ByPassForLocal
------ DataEncryption
------ DeviceCompliance
--------- Enabled
--------- Sso
------------ Eku
------------ Enabled
------------ IssuerHash
------ DisableAdvancedOptionsEditButton
------ DisableDisconnectButton
------ DisableIKEv2Fragmentation
------ DnsSuffix
------ DomainNameInformationList
--------- {dniRowId}
------------ AutoTrigger
------------ DnsServers
------------ DomainName
------------ DomainNameType
------------ Persistent
------------ WebProxyServers
------ EdpModeId
------ IPv4InterfaceMetric
------ IPv6InterfaceMetric
------ NativeProfile
--------- Authentication
------------ Certificate
--------------- Eku
--------------- Issuer
------------ Eap
--------------- Configuration
--------------- Type
------------ MachineMethod
------------ UserMethod
--------- CryptographySuite
------------ AuthenticationTransformConstants
------------ CipherTransformConstants
------------ DHGroup
------------ EncryptionMethod
------------ IntegrityCheckMethod
------------ PfsGroup
--------- DisableClassBasedDefaultRoute
--------- L2tpPsk
--------- NativeProtocolType
--------- PlumbIKEv2TSAsRoutes
--------- ProtocolList
------------ NativeProtocolList
--------------- {NativeProtocolRowId}
------------------ Type
------------ RetryTimeInHours
--------- RoutingPolicyType
--------- Servers
------ NetworkOutageTime
------ PluginProfile
--------- CustomConfiguration
--------- PluginPackageFamilyName
--------- ServerUrlList
------ PrivateNetwork
------ ProfileXML
------ Proxy
--------- AutoConfigUrl
--------- Manual
------------ Server
------ RegisterDNS
------ RememberCredentials
------ RequireVpnClientAppUI
------ RouteList
--------- {routeRowId}
------------ Address
------------ ExclusionRoute
------------ Metric
------------ PrefixSize
------ TrafficFilterList
--------- {trafficFilterId}
------------ App
--------------- Id
--------------- Type
------------ Claims
------------ Direction
------------ LocalAddressRanges
------------ LocalPortRanges
------------ Protocol
------------ RemoteAddressRanges
------------ RemotePortRanges
------------ RoutingPolicyType
------ TrustedNetworkDetection
------ UseRasCredentials
```
- ./Device/Vendor/MSFT/VPNv2
- [{ProfileName}](#deviceprofilename)
- [AlwaysOn](#deviceprofilenamealwayson)
- [AlwaysOnActive](#deviceprofilenamealwaysonactive)
- [APNBinding](#deviceprofilenameapnbinding)
- [AccessPointName](#deviceprofilenameapnbindingaccesspointname)
- [AuthenticationType](#deviceprofilenameapnbindingauthenticationtype)
- [IsCompressionEnabled](#deviceprofilenameapnbindingiscompressionenabled)
- [Password](#deviceprofilenameapnbindingpassword)
- [ProviderId](#deviceprofilenameapnbindingproviderid)
- [UserName](#deviceprofilenameapnbindingusername)
- [AppTriggerList](#deviceprofilenameapptriggerlist)
- [{appTriggerRowId}](#deviceprofilenameapptriggerlistapptriggerrowid)
- [App](#deviceprofilenameapptriggerlistapptriggerrowidapp)
- [Id](#deviceprofilenameapptriggerlistapptriggerrowidappid)
- [Type](#deviceprofilenameapptriggerlistapptriggerrowidapptype)
- [ByPassForLocal](#deviceprofilenamebypassforlocal)
- [DataEncryption](#deviceprofilenamedataencryption)
- [DeviceCompliance](#deviceprofilenamedevicecompliance)
- [Enabled](#deviceprofilenamedevicecomplianceenabled)
- [Sso](#deviceprofilenamedevicecompliancesso)
- [Eku](#deviceprofilenamedevicecompliancessoeku)
- [Enabled](#deviceprofilenamedevicecompliancessoenabled)
- [IssuerHash](#deviceprofilenamedevicecompliancessoissuerhash)
- [DeviceTunnel](#deviceprofilenamedevicetunnel)
- [DisableAdvancedOptionsEditButton](#deviceprofilenamedisableadvancedoptionseditbutton)
- [DisableDisconnectButton](#deviceprofilenamedisabledisconnectbutton)
- [DisableIKEv2Fragmentation](#deviceprofilenamedisableikev2fragmentation)
- [DnsSuffix](#deviceprofilenamednssuffix)
- [DomainNameInformationList](#deviceprofilenamedomainnameinformationlist)
- [{dniRowId}](#deviceprofilenamedomainnameinformationlistdnirowid)
- [AutoTrigger](#deviceprofilenamedomainnameinformationlistdnirowidautotrigger)
- [DnsServers](#deviceprofilenamedomainnameinformationlistdnirowiddnsservers)
- [DomainName](#deviceprofilenamedomainnameinformationlistdnirowiddomainname)
- [DomainNameType](#deviceprofilenamedomainnameinformationlistdnirowiddomainnametype)
- [Persistent](#deviceprofilenamedomainnameinformationlistdnirowidpersistent)
- [WebProxyServers](#deviceprofilenamedomainnameinformationlistdnirowidwebproxyservers)
- [EdpModeId](#deviceprofilenameedpmodeid)
- [IPv4InterfaceMetric](#deviceprofilenameipv4interfacemetric)
- [IPv6InterfaceMetric](#deviceprofilenameipv6interfacemetric)
- [NativeProfile](#deviceprofilenamenativeprofile)
- [Authentication](#deviceprofilenamenativeprofileauthentication)
- [Certificate](#deviceprofilenamenativeprofileauthenticationcertificate)
- [Eku](#deviceprofilenamenativeprofileauthenticationcertificateeku)
- [Issuer](#deviceprofilenamenativeprofileauthenticationcertificateissuer)
- [Eap](#deviceprofilenamenativeprofileauthenticationeap)
- [Configuration](#deviceprofilenamenativeprofileauthenticationeapconfiguration)
- [Type](#deviceprofilenamenativeprofileauthenticationeaptype)
- [MachineMethod](#deviceprofilenamenativeprofileauthenticationmachinemethod)
- [UserMethod](#deviceprofilenamenativeprofileauthenticationusermethod)
- [CryptographySuite](#deviceprofilenamenativeprofilecryptographysuite)
- [AuthenticationTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants)
- [CipherTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteciphertransformconstants)
- [DHGroup](#deviceprofilenamenativeprofilecryptographysuitedhgroup)
- [EncryptionMethod](#deviceprofilenamenativeprofilecryptographysuiteencryptionmethod)
- [IntegrityCheckMethod](#deviceprofilenamenativeprofilecryptographysuiteintegritycheckmethod)
- [PfsGroup](#deviceprofilenamenativeprofilecryptographysuitepfsgroup)
- [DisableClassBasedDefaultRoute](#deviceprofilenamenativeprofiledisableclassbaseddefaultroute)
- [L2tpPsk](#deviceprofilenamenativeprofilel2tppsk)
- [NativeProtocolType](#deviceprofilenamenativeprofilenativeprotocoltype)
- [PlumbIKEv2TSAsRoutes](#deviceprofilenamenativeprofileplumbikev2tsasroutes)
- [ProtocolList](#deviceprofilenamenativeprofileprotocollist)
- [NativeProtocolList](#deviceprofilenamenativeprofileprotocollistnativeprotocollist)
- [{NativeProtocolRowId}](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid)
- [Type](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype)
- [RetryTimeInHours](#deviceprofilenamenativeprofileprotocollistretrytimeinhours)
- [RoutingPolicyType](#deviceprofilenamenativeprofileroutingpolicytype)
- [Servers](#deviceprofilenamenativeprofileservers)
- [NetworkOutageTime](#deviceprofilenamenetworkoutagetime)
- [PluginProfile](#deviceprofilenamepluginprofile)
- [CustomConfiguration](#deviceprofilenamepluginprofilecustomconfiguration)
- [PluginPackageFamilyName](#deviceprofilenamepluginprofilepluginpackagefamilyname)
- [ServerUrlList](#deviceprofilenamepluginprofileserverurllist)
- [PrivateNetwork](#deviceprofilenameprivatenetwork)
- [ProfileXML](#deviceprofilenameprofilexml)
- [Proxy](#deviceprofilenameproxy)
- [AutoConfigUrl](#deviceprofilenameproxyautoconfigurl)
- [Manual](#deviceprofilenameproxymanual)
- [Server](#deviceprofilenameproxymanualserver)
- [RegisterDNS](#deviceprofilenameregisterdns)
- [RememberCredentials](#deviceprofilenameremembercredentials)
- [RouteList](#deviceprofilenameroutelist)
- [{routeRowId}](#deviceprofilenameroutelistrouterowid)
- [Address](#deviceprofilenameroutelistrouterowidaddress)
- [ExclusionRoute](#deviceprofilenameroutelistrouterowidexclusionroute)
- [Metric](#deviceprofilenameroutelistrouterowidmetric)
- [PrefixSize](#deviceprofilenameroutelistrouterowidprefixsize)
- [TrafficFilterList](#deviceprofilenametrafficfilterlist)
- [{trafficFilterId}](#deviceprofilenametrafficfilterlisttrafficfilterid)
- [App](#deviceprofilenametrafficfilterlisttrafficfilteridapp)
- [Id](#deviceprofilenametrafficfilterlisttrafficfilteridappid)
- [Type](#deviceprofilenametrafficfilterlisttrafficfilteridapptype)
- [Claims](#deviceprofilenametrafficfilterlisttrafficfilteridclaims)
- [Direction](#deviceprofilenametrafficfilterlisttrafficfilteriddirection)
- [LocalAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocaladdressranges)
- [LocalPortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocalportranges)
- [Protocol](#deviceprofilenametrafficfilterlisttrafficfilteridprotocol)
- [RemoteAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteaddressranges)
- [RemotePortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteportranges)
- [RoutingPolicyType](#deviceprofilenametrafficfilterlisttrafficfilteridroutingpolicytype)
- [TrustedNetworkDetection](#deviceprofilenametrustednetworkdetection)
- [UseRasCredentials](#deviceprofilenameuserascredentials)
- ./User/Vendor/MSFT/VPNv2
- [{ProfileName}](#userprofilename)
- [AlwaysOn](#userprofilenamealwayson)
- [AlwaysOnActive](#userprofilenamealwaysonactive)
- [APNBinding](#userprofilenameapnbinding)
- [AccessPointName](#userprofilenameapnbindingaccesspointname)
- [AuthenticationType](#userprofilenameapnbindingauthenticationtype)
- [IsCompressionEnabled](#userprofilenameapnbindingiscompressionenabled)
- [Password](#userprofilenameapnbindingpassword)
- [ProviderId](#userprofilenameapnbindingproviderid)
- [UserName](#userprofilenameapnbindingusername)
- [AppTriggerList](#userprofilenameapptriggerlist)
- [{appTriggerRowId}](#userprofilenameapptriggerlistapptriggerrowid)
- [App](#userprofilenameapptriggerlistapptriggerrowidapp)
- [Id](#userprofilenameapptriggerlistapptriggerrowidappid)
- [Type](#userprofilenameapptriggerlistapptriggerrowidapptype)
- [ByPassForLocal](#userprofilenamebypassforlocal)
- [DataEncryption](#userprofilenamedataencryption)
- [DeviceCompliance](#userprofilenamedevicecompliance)
- [Enabled](#userprofilenamedevicecomplianceenabled)
- [Sso](#userprofilenamedevicecompliancesso)
- [Eku](#userprofilenamedevicecompliancessoeku)
- [Enabled](#userprofilenamedevicecompliancessoenabled)
- [IssuerHash](#userprofilenamedevicecompliancessoissuerhash)
- [DisableAdvancedOptionsEditButton](#userprofilenamedisableadvancedoptionseditbutton)
- [DisableDisconnectButton](#userprofilenamedisabledisconnectbutton)
- [DisableIKEv2Fragmentation](#userprofilenamedisableikev2fragmentation)
- [DnsSuffix](#userprofilenamednssuffix)
- [DomainNameInformationList](#userprofilenamedomainnameinformationlist)
- [{dniRowId}](#userprofilenamedomainnameinformationlistdnirowid)
- [AutoTrigger](#userprofilenamedomainnameinformationlistdnirowidautotrigger)
- [DnsServers](#userprofilenamedomainnameinformationlistdnirowiddnsservers)
- [DomainName](#userprofilenamedomainnameinformationlistdnirowiddomainname)
- [DomainNameType](#userprofilenamedomainnameinformationlistdnirowiddomainnametype)
- [Persistent](#userprofilenamedomainnameinformationlistdnirowidpersistent)
- [WebProxyServers](#userprofilenamedomainnameinformationlistdnirowidwebproxyservers)
- [EdpModeId](#userprofilenameedpmodeid)
- [IPv4InterfaceMetric](#userprofilenameipv4interfacemetric)
- [IPv6InterfaceMetric](#userprofilenameipv6interfacemetric)
- [NativeProfile](#userprofilenamenativeprofile)
- [Authentication](#userprofilenamenativeprofileauthentication)
- [Certificate](#userprofilenamenativeprofileauthenticationcertificate)
- [Eku](#userprofilenamenativeprofileauthenticationcertificateeku)
- [Issuer](#userprofilenamenativeprofileauthenticationcertificateissuer)
- [Eap](#userprofilenamenativeprofileauthenticationeap)
- [Configuration](#userprofilenamenativeprofileauthenticationeapconfiguration)
- [Type](#userprofilenamenativeprofileauthenticationeaptype)
- [MachineMethod](#userprofilenamenativeprofileauthenticationmachinemethod)
- [UserMethod](#userprofilenamenativeprofileauthenticationusermethod)
- [CryptographySuite](#userprofilenamenativeprofilecryptographysuite)
- [AuthenticationTransformConstants](#userprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants)
- [CipherTransformConstants](#userprofilenamenativeprofilecryptographysuiteciphertransformconstants)
- [DHGroup](#userprofilenamenativeprofilecryptographysuitedhgroup)
- [EncryptionMethod](#userprofilenamenativeprofilecryptographysuiteencryptionmethod)
- [IntegrityCheckMethod](#userprofilenamenativeprofilecryptographysuiteintegritycheckmethod)
- [PfsGroup](#userprofilenamenativeprofilecryptographysuitepfsgroup)
- [DisableClassBasedDefaultRoute](#userprofilenamenativeprofiledisableclassbaseddefaultroute)
- [L2tpPsk](#userprofilenamenativeprofilel2tppsk)
- [NativeProtocolType](#userprofilenamenativeprofilenativeprotocoltype)
- [PlumbIKEv2TSAsRoutes](#userprofilenamenativeprofileplumbikev2tsasroutes)
- [ProtocolList](#userprofilenamenativeprofileprotocollist)
- [NativeProtocolList](#userprofilenamenativeprofileprotocollistnativeprotocollist)
- [{NativeProtocolRowId}](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid)
- [Type](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype)
- [RetryTimeInHours](#userprofilenamenativeprofileprotocollistretrytimeinhours)
- [RoutingPolicyType](#userprofilenamenativeprofileroutingpolicytype)
- [Servers](#userprofilenamenativeprofileservers)
- [NetworkOutageTime](#userprofilenamenetworkoutagetime)
- [PluginProfile](#userprofilenamepluginprofile)
- [CustomConfiguration](#userprofilenamepluginprofilecustomconfiguration)
- [PluginPackageFamilyName](#userprofilenamepluginprofilepluginpackagefamilyname)
- [ServerUrlList](#userprofilenamepluginprofileserverurllist)
- [PrivateNetwork](#userprofilenameprivatenetwork)
- [ProfileXML](#userprofilenameprofilexml)
- [Proxy](#userprofilenameproxy)
- [AutoConfigUrl](#userprofilenameproxyautoconfigurl)
- [Manual](#userprofilenameproxymanual)
- [Server](#userprofilenameproxymanualserver)
- [RegisterDNS](#userprofilenameregisterdns)
- [RememberCredentials](#userprofilenameremembercredentials)
- [RequireVpnClientAppUI](#userprofilenamerequirevpnclientappui)
- [RouteList](#userprofilenameroutelist)
- [{routeRowId}](#userprofilenameroutelistrouterowid)
- [Address](#userprofilenameroutelistrouterowidaddress)
- [ExclusionRoute](#userprofilenameroutelistrouterowidexclusionroute)
- [Metric](#userprofilenameroutelistrouterowidmetric)
- [PrefixSize](#userprofilenameroutelistrouterowidprefixsize)
- [TrafficFilterList](#userprofilenametrafficfilterlist)
- [{trafficFilterId}](#userprofilenametrafficfilterlisttrafficfilterid)
- [App](#userprofilenametrafficfilterlisttrafficfilteridapp)
- [Id](#userprofilenametrafficfilterlisttrafficfilteridappid)
- [Type](#userprofilenametrafficfilterlisttrafficfilteridapptype)
- [Claims](#userprofilenametrafficfilterlisttrafficfilteridclaims)
- [Direction](#userprofilenametrafficfilterlisttrafficfilteriddirection)
- [LocalAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridlocaladdressranges)
- [LocalPortRanges](#userprofilenametrafficfilterlisttrafficfilteridlocalportranges)
- [Protocol](#userprofilenametrafficfilterlisttrafficfilteridprotocol)
- [RemoteAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteaddressranges)
- [RemotePortRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteportranges)
- [RoutingPolicyType](#userprofilenametrafficfilterlisttrafficfilteridroutingpolicytype)
- [TrustedNetworkDetection](#userprofilenametrustednetworkdetection)
- [UseRasCredentials](#userprofilenameuserascredentials)
<!-- VPNv2-Tree-End -->
<!-- Device-{ProfileName}-Begin -->
@ -2142,7 +2140,7 @@ Required when the native profile specifies EAP authentication. EAP configuration
<!-- Device-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Description-Begin -->
<!-- Description-Source-DDF -->
HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see <https://docs.microsoft.com/windows/client-management/mdm/eap-configuration>.
HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md).
<!-- Device-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Editable-Begin -->
@ -6367,7 +6365,7 @@ Required when the native profile specifies EAP authentication. EAP configuration
<!-- User-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Description-Begin -->
<!-- Description-Source-DDF -->
HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see <https://docs.microsoft.com/windows/client-management/mdm/eap-configuration>.
HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md).
<!-- User-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Authentication-Eap-Configuration-Editable-Begin -->